
October is Cybersecurity Awareness Month here in the United States, which is a good thing, because we come down with more PC botnet infections than any other country in the world. Microsoft reports 2.2 million US PCs hijacked for cybercrime or distributed denial of service (DDOS) attacks on websites in the first half of this year.

And in late September, police in the greater New York area busted over 60 members of a botnet ring whose plan was to deploy the Zeus Trojan to clean out banks.

Botnets "are the launch pad for much of today's criminal activity on the Internet," Microsoft security expert Adrienne Hall warned last week. "In many ways, they are the perfect base of operations for computer criminals."

So what's the government doing about botnets? The Federal Communications Commission is running a proceeding to identify the five most critical cybersecurity threats to the communications infrastructure and come up with solutions. And various bills are floating around Capitol Hill that would unify the nation's already hyperbalkanized cybersecurity apparatus, so Uncle Sam can think with one brain about the problem (one from Senator Lieberman, another from Senator Rockefeller).

These measures ought to bear fruit in the next geological era or two. But in the meantime, how about we do what Japan did and set up a national botnet fighter?

Cyber Clean does the usual good stuff, trying to raise public awareness about the dangers of bots. A "bot"—in case you've gotten this far and are still wondering—is a piece of downloadable malware that allows a remote user to control your computer. PCs often become bot zombies because their owner was "phished"—fooled into clicking an e-mail attachment designed to launch the infection.

Once in control of your computer, botnet baddies can follow your keystrokes or turn your machine into a DDoS attack weapon.

But the Cyber Clean operation goes a massive step further than public education. It searches for bot-infected PCs, then engages in a series of "attention rousing activities" to get the user to realize that her computer has been hijacked.

Stage one of the ongoing campaign involves the regular deployment of "honeypot" PCs, essentially decoys that are easy for botnets to find and infest. Once the honeypot picks up enough bot data, Cyber Clean engineers move to stage two: scouring the machine's log files for intelligence on actual users who have caught the infection.

In stage three, the relevant ISPs are alerted. They send those users an "attention rousing mail" directing them to a customized "bot deinfestation" website, where (in stage four) they receive downloads and instructions on how to clean their computer and prevent future attacks.

17 million bots

One aspect of Cyber Clean's online documentation that's a bit confusing is whether the operation sends out email or snail mail alerts, or both (the words "mail" and "email" seem to be used interchangeably). But the project's latest "activity report" says that, as of August, it has collected almost 17 million bot samples and deployed over half a million "attention rousing" messages.

An estimated 32.3 percent of users contacted actually go to their deinfestation page and download the relevant cleaning software, according to the organization. The campaign says it has counted 1,312,083 disinfectant downloads so far.

It's not like nobody's doing anything about bots in the US. Comcast has just deployed a new botnet alert system for its customers. And, of course, there is a wide variety of consumer security software available.

But in its filing with the FCC's cybersecurity proceeding, Microsoft seems skeptical that the botnet problem can be fixed on an individual level.

"For various reasons, the awareness and availability of security products does not always result in their deployment and maintenance and, ultimately, results in inadequate risk management," the commentary notes. "As a result, society needs to explore ways to implement collective defenses to help protect consumers who may be unaware that their computers have been compromised, and to reduce the risk that these compromised devices present to the ecosystem as a whole."

The software giant cites Cyber Clean as one of a number of international projects that have "had varying degrees of effectiveness." Maybe it's time to test its effectiveness here in the United States of Bots, too.


Matthew Lasar
Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz. Email: matthew.lasar@arstechnica.com // Twitter: @matthewlasar

55 Reader Comments

What's to stop the bad guys from sending fake "attention rousing mails" which contain links to more malware?

<rant>Why aren't digital signatures mandatory for e-mails? (and regular people think of them in a similar way to SSL certificates for online banking - i.e. only trust e-mails from your ISP, etc when there is a big green tick in the "from" field)</rant>

Yes, yes... I am just dying to have government and industry collaboratively spy on my computer for the sake of 'security'...

I think most people would rather have security from completely unknown information thieves than security from the government. At least with the government, you would know whom to blame when your credit card gets charged 10k.

...or just use an Operating System that isn't the target of these attacks.

Yeah! And then the whole population can switch to that OS, and then -that- can be the new target! Hell, we can just keep swapping Operating Systems! It'll be like musical chairs!

On topic, as far as a country-wide counter-measure is concerned, this is pretty cool. Not flawless, but it's a positive, non-invasive effort to combat botnets. As 'that guy' that everyone and their dog calls to handle PC troubleshooting (in my family/circle of friends at least), I'd appreciate a simple resource with botnet removal tools to expedite the job.

...or just use an Operating System that isn't the target of these attacks.

Yeah! And then the whole population can switch to that OS, and then -that- can be the new target! Hell, we can just keep swapping Operating Systems! It'll be like musical chairs!

...not really. You think that linux isn't attacked just because it isn't used? -_- You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

Here in the US, we may have a double-whammy on the trust front: we don't seem to trust our government, and we don't seem to trust our ISPs. For a program like Japan's CCC to even start to work, trust in both is required. It actually sounds like a good idea, but I can just imagine the uproar. Japan's 32.3 percent positive response on the notifications isn't really all that hot, and I would expect it to be even lower here. Still worth trying, though, imo. If handled properly, it could work - eventually.

Botnets "are the launch pad for much of today's criminal activity on the Internet," Microsoft security expert Adrienne Hall warned last week.

Question: Are not the vast majority of botnets running on older versions of Windows? Why don't we quit talking in the abstract and mandate that Microsoft clean this up? How many more years, hell, decades is this going to continue?

Botnets "are the launch pad for much of today's criminal activity on the Internet," Microsoft security expert Adrienne Hall warned last week.

Question: Are not the vast majority of botnets running on older versions of Windows? Why don't we quit talking in the abstract and mandate that Microsoft clean this up? How many more years, hell, decades is this going to continue?

Have you not noticed Microsoft basically begging people to move off Windows XP and (*shudder*) IE6? Yet every time they do, the Internet blazes with, "Stop forcing us to upgrade!". They're damned if they do, damned if they don't.

What's to stop the bad guys from sending fake "attention rousing mails" which contain links to more malware?

<rant>Why aren't digital signatures mandatory for e-mails? (and regular people think of them in a similar way to SSL certificates for online banking - i.e. only trust e-mails from your ISP, etc when there is a big green tick in the "from" field)</rant>

Funny that was my first response too >_>

And, yes, something really has to be done. To be honest, everyone should move to google apps (i.e. gmail). I know everyone hates to trust google, but they already own all the information, and it will save billions a day in wasted time and bandwidth and disinfecting. Of course, the AV companies would lose a lot

gwenkhan wrote:

Have you not noticed Microsoft basically begging people to move off Windows XP and (*shudder*) IE6? Yet every time they do, the Internet blazes with, "Stop forcing us to upgrade!". They're damned if they do, damned if they don't.

It is just unfortunate so many companies have legacy software. Hell, cobol programmers still make 6 figures straight off simply because of all the legacy systems.

Botnets "are the launch pad for much of today's criminal activity on the Internet," Microsoft security expert Adrienne Hall warned last week.

Question: Are not the vast majority of botnets running on older versions of Windows? Why don't we quit talking in the abstract and mandate that Microsoft clean this up? How many more years, hell, decades is this going to continue?

And how exactly do they do that? Most of the computers are infected because they have automatic updates turned off, otherwise they would have got a patch to stop the attack vector or been moved up to IE7.

There is no legitimate way to fix the computer remotely at this point, and I'm not sure this vigilante approach is legal in Japan or the US.

And how exactly do they do that? Most of the computers are infected because they have automatic updates turned off, otherwise they would have got a patch to stop the attack vector or been moved up to IE7.

There is no legitimate way to fix the computer remotely at this point, and I'm not sure this vigilante approach is legal in Japan or the US.

Any computer that is acting as part of a botnet is by definition illegal. This is like people dropping lit matches in a wildfire area. Shutting them down is fair game.

So are people saying that there is absolutely nothing that Microsoft, sole owner of Windows source code, can do? Hell, the botnet malware writers can control these machines, why can't Microsoft? Or is their corporate pride outweighing their admission of being both the source and solution to the problem?

...or just use an Operating System that isn't the target of these attacks.

Yeah! And then the whole population can switch to that OS, and then -that- can be the new target! Hell, we can just keep swapping Operating Systems! It'll be like musical chairs!

...not really. You think that linux isn't attacked just because it isn't used? -_- You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

Yes, it isn't attacked due to popularity. I watched as a Unix security admin injected a tiny bit of code and gained root from outside the university on a fully patched server at a huge university (we host internet 2 if that gives you a clue). If you don't think Apache has vulnerabilities, then you are mistaken.

The problem with windows doesn't really stem from the OS as much as it does from stupid users. People click on links, fake pop-ups, etc... and willingly install viruses because they have no clue what they are doing. A fully patched OS is pretty secure, it's always the user that is at fault. People need to be educated, but they just keep clicking away and never try to learn anything.

The US is the most privileged group of dumbasses I have ever seen in the world. We have people that would bitch about "freedoms" and other political bullshit, but they are the ones that are infected and too dumb to realize it.

...not really. You think that linux isn't attacked just because it isn't used?

Er, yes. There's no point in sending a "type SUDO INSTALL MALWARE.EXE and then enter your admin password" eMail, because its contents will only apply to a microscopic fraction of people.

IBaStudent wrote:

You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

What does that have to do with anything? Phishing attacks are specifically targeted at DESKTOP machines - i.e., machines with physical users sat in front of them, who can allow the malware access to the system. It's a non-starter for attacking a web server!

...not really. You think that linux isn't attacked just because it isn't used?

What does that have to do with anything? Phishing attacks are specifically targeted at DESKTOP machines - i.e., machines with physical users sat in front of them, who can allow the malware access to the system. It's a non-starter for attacking a web server!

Web servers are very useful for DDOS and sending spam. Attacking web servers is a very profitable venture, considering that they have bigger bandwidth and more often than not, less monitored.

Any computer that is acting as part of a botnet is by definition illegal. This is like people dropping lit matches in a wildfire area. Shutting them down is fair game.

So are people saying that there is absolutely nothing that Microsoft, sole owner of Windows source code, can do? Hell, the botnet malware writers can control these machines, why can't Microsoft? Or is their corporate pride outweighing their admission of being both the source and solution to the problem?

This is one of those situations where two wrongs don't make a right.

No one should be allowed to break into another person's computer, even to stop someone else who has already broken into the computer.

The best thing we can do is to notify the owner of the issue and hope they fix it, while also hunting down those that created the malware.

What does that have to do with anything? Phishing attacks are specifically targeted at DESKTOP machines - i.e., machines with physical users sat in front of them, who can allow the malware access to the system. It's a non-starter for attacking a web server!

...you think that it's impossible to attack someone without a user doing something? >_> I don't think you realize how easy it has been to take over a Windows Server with a DNS attack or something (and by doing this you can take over other machines on the network, someone who accesses that webserver, etc.) And, this is about a botnet, not phishing. Having a 60+ mbps uplink is a lot more powerful than only having a measly consumer 0.4 mbps up. Server OSes also allow more simultaneous connections, etc. The thing is, Linux is just more secure, period. There's been, what, one LOCAL elevated code exploit recently, and only on certain 64-bit systems? (as in, the attacker has to already have access to the machine in the first place) On Windows, we get a huge list of remote code exploits each month that affect just about every version. Linux also gets exploits patched within a few hours to a few days. Windows might take longer than a month.

I think it would be cool to have something like this in the States. Except for one problem. A lot of people here (probably other places too) are arrogant and stupid. If they got a letter telling them to go to the disinfectant website, then probably only half would go. The other half would think "There ain't nothing wrong with my computer. Just because I downloaded the folder to help the Nigerian prince reclaim his money, doesn't mean anything is wrong with my computer."

But still, even if only half the people who got the letter actually disinfected their computer, that would still be about 1.1 million fewer botnets....

No one should be allowed to break into another person's computer, even to stop someone else who has already broken into the computer.

So no one should be able to raid a meth lab filled with explosive chemicals that could take down the neighborhood because...?

Botnets are a genuine problem, not some theoretical example of 'personal rights'. They are a tool used for harming others and causing significant financial loss. They have no 'right' to be connected to the internet.

I'm not suggesting that the machines be wiped - simply have their network connectivity disabled with a message left explaining what happened. The alternative, as has been amply demonstrated, is simply unacceptable. Sorry if a few eggs get broken.

...or just use an Operating System that isn't the target of these attacks.

Yeah! And then the whole population can switch to that OS, and then -that- can be the new target! Hell, we can just keep swapping Operating Systems! It'll be like musical chairs!

...not really. You think that linux isn't attacked just because it isn't used? -_- You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

Yeah I mean why attack vulnerable gullible majority when you can hack websites and universities with little to no monetary gain whatsoever.

People who have this idea that they are unhackable are a huge security risk in itself.

I'd also like to remind you is all it takes to fuck linux is get idiots to put in their password. With good enough social engineering someone will install something whether or not they have to put a password in.

...or just use an Operating System that isn't the target of these attacks.

Yeah! And then the whole population can switch to that OS, and then -that- can be the new target! Hell, we can just keep swapping Operating Systems! It'll be like musical chairs!

...not really. You think that linux isn't attacked just because it isn't used? -_- You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

Yeah I mean why attack vulnerable gullible majority when you can hack websites and universities with little to no monetary gain whatsoever.

People who have this idea that they are unhackable are a huge security risk in itself.

I'd also like to remind you is all it takes to fuck linux is get idiots to put in their password. With good enough social engineering someone will install something whether or not they have to put a password in.

Ah, sorry, yes, I agree with you, for phishing and such, but for botnets and actually doing serious damage, a university has much more potential.

And I wholeheartedly agree with you on that "unhackable" part! One of my friends on Facebook got clickjacked and posted a malicious URL, and someone on a Mac said "lol i clicked on it anyway cuz i'm on a mac so it can't infect me". -_-

...not really. You think that linux isn't attacked just because it isn't used? -_- You don't think that hackers would like to take over most of the servers on the Internet? More importantly: most of the Universities in the world? Heck, do a port scan on any University's block, and you'll find many servers on the network (and on Internet2) that are running very old versions of Apache and Ubuntu 8.04 or an old RHEL--and the webpage they give you says it all right on it! Most enable SSH 1, etc.

IBaStudent wrote:

Nom wrote:

What does that have to do with anything? Phishing attacks are specifically targeted at DESKTOP machines - i.e., machines with physical users sat in front of them, who can allow the malware access to the system. It's a non-starter for attacking a web server!

...you think that it's impossible to attack someone without a user doing something? >_> I don't think you realize how easy it has been to take over a Windows Server with a DNS attack or something (and by doing this you can take over other machines on the network, someone who accesses that webserver, etc.) And, this is about a botnet, not phishing. Having a 60+ mbps uplink is a lot more powerful than only having a measly consumer 0.4 mbps up. Server OSes also allow more simultaneous connections, etc. The thing is, Linux is just more secure, period. There's been, what, one LOCAL elevated code exploit recently, and only on certain 64-bit systems? (as in, the attacker has to already have access to the machine in the first place) On Windows, we get a huge list of remote code exploits each month that affect just about every version. Linux also gets exploits patched within a few hours to a few days. Windows might take longer than a month.

I disagree with your statement that Linux is "just more secure". Let me point out that I love using Linux and use it at home. Linux is *not* inherently more secure, there are plenty of advisories that come out for all the major distributions. You're comparing vulnerabilities to the Linux kernel with vulnerabilities to an entire operating system when you make statements like Linux has only had 1 remote exploit on certain 64-bit installations and compare it to the Microsoft report that publishes several remote exploits on Windows per month. The Linux kernel is *not*, by itself, an operating system. You mentioned Ubuntu 8.04; if you visit Secunia's web page (http://secunia.com/advisories/product/1 ... stics_2010) you will find that Ubuntu 8.04 has had 93 advisories this year alone, 75% of which are "remote". If someone out there is running an *unpatched* Ubuntu 8.04 installation the bad guys would have plenty of options to hack it remotely. The same is true of someone running an *unpatched* Windows 2003 server. The fact that the *unpatched* Windows server wouldn't last 20 minutes exposed to the internet, to me, is a sign that it is being aggressively targeted by the bad guys, not that it is inherently insecure.

Japan's 32.3 percent positive response on the notifications isn't really all that hot, and I would expect it to be even lower here.

Keep in mind, that's only people who used the individual links. I imagine there's a general cleanup page on the site, and people might use that (especially if they're actually sending snail mails; who wants to type in cryptic URLs). It also wouldn't count people who take it to a store to fix, or borrow a friend's "individual" link, or do nuke & restore, or just buy a new PC.

Probably only amounts to a few more percentage points, but there's no way to know. I guess they could track the number of PCs that stay infected, but if they did I imagine they would have reported those numbers too (privacy concerns?).

No one should be allowed to break into another person's computer, even to stop someone else who has already broken into the computer.

Going beyond that is unethical.

I hate to dispense this bad news to you, but this is already being done on the software front.

Microsoft and Adobe, just to name a couple, will shut software down in the event it's caught to be illegal.

Given this role, I do not see any problem with Microsoft patching its software to block internet access until the user removes the bot... for their protection.

Bots aren't just for DDoS attacks. Several have been reported as being used to transmit child pornography and the law doesn't give a damn if you were aware of it or not.

Try telling your neighbors "The bot made me do it."

My Adobe suite was shut down instantly when it was discovered my legitimate key was compromised by a crack program (by the way, whoever wrote that, burn in hell for the shit you put me through to convince Adobe I bought the software).

But the Cyber Clean operation goes a massive step further than public education. It searches for bot-infected PCs, then engages in a series of "attention rousing activities" to get the user to realize that her computer has been hijacked.

This is why we do not have this in the US. If I find a neighbor's wifi is open and I print out "Call me at ... to lock your wifi! Signed, your neighbor" on their printer, I could have the cops show up on my doorstep. The government doing it would be no better, and the feds would simply be the target of endless lawsuits.

Quote:

they are clogging up your tubes, though!

They're not my tubes. And if you apply this logic fully, get those fuckers off my highway while you're at it!

Quote:

Sorry if a few eggs get broken.

"Give me liberty or give me death," is this country's founding cry. Go elsewhere if you want to give up your liberty. I happen to like mine.

I'm not suggesting that the machines be wiped - simply have their network connectivity disabled with a message left explaining what happened. The alternative, as has been amply demonstrated, is simply unacceptable. Sorry if a few eggs get broken.

The ISPs won't disconnect a paying customer, so I'm sure this will be federal law at some point soonish. It probably won't happen until a botnet does something much more serious than steal a bunch of plebs' identities. Something like clean out a major bank or crash the stock market or something. Something congress can't ignore.

What does that have to do with anything? Phishing attacks are specifically targeted at DESKTOP machines - i.e., machines with physical users sat in front of them, who can allow the malware access to the system. It's a non-starter for attacking a web server!

...you think that it's impossible to attack someone without a user doing something? >_> I don't think you realize how easy it has been to take over a Windows Server with a DNS attack or something (and by doing this you can take over other machines on the network, someone who accesses that webserver, etc.) And, this is about a botnet, not phishing. Having a 60+ mbps uplink is a lot more powerful than only having a measly consumer 0.4 mbps up. Server OSes also allow more simultaneous connections, etc. The thing is, Linux is just more secure, period. There's been, what, one LOCAL elevated code exploit recently, and only on certain 64-bit systems? (as in, the attacker has to already have access to the machine in the first place) On Windows, we get a huge list of remote code exploits each month that affect just about every version. Linux also gets exploits patched within a few hours to a few days. Windows might take longer than a month.

Congratulations, you have no idea what the point of a botnet is. Know why a botnet is hard to take down? Because there are hundreds, thousands, millions of unique machines in the net. "Oh I have one 60+mbps uplink, derp derp." Too bad your entire net goes down with a single repair. Botnets are effective because they're diverse, expansive, and nearly impossible to take down on a system by system basis. Your ignorant derp method would be extremely easy to identify and clean. In other words, targeting servers for botnet purposes is stupid.

With good partnerships between ISPs and trusted / certified botnet detection groups, infected machines could have their connection blocked by the ISP, and be forcefully redirected to the disinfection site whenever their machine makes an HTTP request. Dumb users could only get to the disinfection site, something they couldn't ignore. Then once their machine is clean (or the user has done a very serious disclaimer), the disinfection server could send an unblock token back to the ISP. It might also be reasonable to give users an automated warning / confirmation phone call, which could be done by the disinfection system based on a phone number provided by the ISP. These calls could even be done by online request, so wary users would have certainty that the whole thing is not a scam. I will note that this wouldn't be useful behavior for malware to spoof, since it would only call unwanted attention to itself, and a machine would already need to have been compromised to spoof such behavior (not possible from a random website as an initial phishing attack).

By offloading the harder (more expensive) parts of the work onto willing detection groups, we might see willingness to participate by the ISPs, and we might see governments and some businesses step up to the plate. Maybe Microsoft, Apple, Canonical, Google, and/or others would have gainful reasons to take more action against the problem if they had a strong mechanism to force stupid users into using the solution. If done right, the ISPs wouldn't bear much cost from infected users with "why ain't my internets working?" calls. Between reduced botnet traffic and reduced dumb-customer tech support calls about slow / buggy internet (caused by infected machines), the ISPs might even save money. I suspect that there must be enough threat here that a good proactive solution would save someone money.
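The walled-garden scheme the comment above sketches (ISP quarantines a reported line, every HTTP request lands on the disinfection site, the site releases the line with an unblock token) modelled as an added example; this is illustrative code written for this page, not code from the article, Cyber Clean, or any ISP. It assumes a hypothetical disinfection host, an HMAC key shared out of band between the ISP and the detection group, and constructed subscriber IDs; the token carries subject, expiry and a nonce so a token cannot be reused, moved to another line, or forged without the key.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed demo values. In practice the key is provisioned between the ISP
# and the certified detection/disinfection group, never sent to subscribers.
SHARED_KEY = b"constructed-demo-shared-key"
DISINFECTION_HOST = "clean.example-isp.net"   # hypothetical disinfection site
TOKEN_TTL_SECONDS = 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_unblock_token(subscriber_id: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Disinfection-site side: mint a signed, expiring, single-use unblock token."""
    now = int(time.time()) if now is None else now
    payload = f"{subscriber_id}|{now + TOKEN_TTL_SECONDS}|{secrets.token_hex(8)}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


class IspGateway:
    """ISP side: quarantine set, HTTP redirect, and unblock-token verification."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.quarantined = set()   # subscriber IDs reported by the detection group
        self.seen_nonces = set()   # replay protection for unblock tokens

    def quarantine(self, subscriber_id: str) -> None:
        """Record a report from the trusted detection group."""
        self.quarantined.add(subscriber_id)

    def handle_http(self, subscriber_id: str, host: str, path: str = "/"):
        """A quarantined line can reach only the disinfection site; all else redirects."""
        if subscriber_id not in self.quarantined or host == DISINFECTION_HOST:
            return ("allow", f"https://{host}{path}")
        return ("redirect", f"https://{DISINFECTION_HOST}/start?sub={subscriber_id}")

    def unblock(self, subscriber_id: str, token: str, now=None) -> bool:
        """Lift the block only for a token that is authentic, for this line, unexpired and unused."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return False                                   # malformed token
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False                                   # forged or tampered
        subject, expiry, nonce = payload.decode().split("|")
        if subject != subscriber_id or int(expiry) < now or nonce in self.seen_nonces:
            return False                                   # wrong line, expired, or replayed
        self.seen_nonces.add(nonce)
        self.quarantined.discard(subscriber_id)
        return True
```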